TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

The Federal Student Aid Datashare Application Was Successfully Deployed, but Improvements in Systems Development Disciplines Are Needed

September 3, 2010

Reference Number: 2010-20-099

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number  | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site      | http://www.tigta.gov

HIGHLIGHTS

Final Report issued on September 3, 2010

Highlights of Reference Number: 2010-20-099 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

The Federal Student Aid Datashare application provides a web-based method for taxpayers to complete the Department of Education’s Free Application for Federal Student Aid. Instead of manually entering their tax return information on the application form, taxpayers can now automatically transfer their tax return data to the application form.

WHY TIGTA DID THE AUDIT

This audit was initiated at the request of the Associate Chief Information Officer for Applications Development. The Internal Revenue Service (IRS) implemented the project to assist the Department of Education initiative to simplify the Federal student aid application process. Our objective was to determine whether the IRS followed the Enterprise Life Cycle in developing the project within the established time period and ensuring adequate security was put in place to protect taxpayer information.

WHAT TIGTA FOUND

The IRS successfully developed and deployed the Federal Student Aid Datashare application on January 28, 2010. As of May 2010, more than 264,750 taxpayers had used the application to automatically transfer their tax return information to the Federal student aid application form. Security controls to safeguard taxpayer information were built into the application and tested prior to deployment of the application.

While the application was successfully deployed, some system development processes needed improvement. The IRS took actions on many of our recommendations and observations during the course of our audit, and addressed the concerns TIGTA identified. However, some actions had not been completed or developed by the time our review concluded. Specifically, controls over requirements management need strengthening to ensure test cases and requirement documents are fully developed; test results should be documented timely and consistently and in a manner that minimizes the potential for manipulation; and project team meetings should be documented to ensure significant decisions and followup action items are tracked and timely completed.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Technology Officer ensure that the Systems Acceptability Test team 1) uses consistent, documented processes to generate a requirements traceability matrix linking each requirement to a test case and 2) revises the applicable Internal Revenue Manual to require that test results be recorded, documented, and verified consistently during test execution.

In their response to the report, IRS officials agreed to TIGTA’s recommendations. IRS management plans to revise the Internal Revenue Manual Part 2.6.1 to add hyperlinks in the Requirements Traceability Verification Matrix that connect directly to the associated test cases and update the Test Results Section to require consistent recording, documentation, and verification of test results.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 3, 2010

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

FROM:     Michael R. Phillips
          Deputy Inspector General for Audit

SUBJECT:  Final Audit Report – The Federal Student Aid Datashare Application Was Successfully Deployed, but Improvements in Systems Development Disciplines Are Needed (Audit # 200920031)

This report presents the result of our review of the development of the Federal Student Aid Datashare project. The overall objective of this review was to determine whether the Internal Revenue Service (IRS) followed the Enterprise Life Cycle to develop the Federal Student Aid Datashare project within the established time period and to ensure adequate security was in place to protect taxpayer information. The audit was requested by the Associate Chief Information Officer for Applications Development and addresses the major management challenge of Modernization of the IRS.

Management’s complete response to the draft report is included as Appendix VI.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-5894.

Table of Contents

Background

Results of Review
    The Federal Student Aid Datashare Application Was Successfully Developed and Deployed
    Improvements Are Needed in Several Systems Development Disciplines
        Recommendation 1:
        Recommendation 2:

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Outcome Measure
    Appendix V – Glossary of Terms
    Appendix VI – Management’s Response to the Draft Report

Abbreviations

DocIT       Document Management for Information Technology
ELC         Enterprise Life Cycle
FSA-D       Federal Student Aid Datashare
IRS         Internal Revenue Service
SAT         Systems Acceptability Test

Background

The Internal Revenue Service (IRS) developed the Federal Student Aid Datashare (FSA-D) project to support the Department of Education initiative to simplify the Federal student aid application process. The Department of Education requested that the IRS develop the FSA-D project prior to the next application period, which began in January 2010, and funded the development costs of approximately $4.5 million.

The FSA-D is a web-based application designed to provide applicants [1] with their filed tax return information while they are accessing the Department of Education web site [2] to complete the Free Application for Federal Student Aid. While online, the applicants can retrieve information from their tax returns and have the option to automatically transfer the required tax return data to their application for Federal student aid. Prior to the deployment of the FSA-D, applicants were required to manually input their tax data using the hardcopy of their tax returns. The FSA-D streamlines the process and makes it more efficient for hundreds of thousands of users to acquire the required tax return information.

The FSA-D application functions via an IRS Internet link, which is available on the Department of Education web site. This link is the only way an applicant can directly access their filed tax return data required to complete the application form. The applicant must adhere to verification features in order to gain access to the IRS Internet link and tax return data. The applicant accomplishes this access by creating a personal identification number and inputting requested personal information on the Department of Education web site. The information that must be input includes, but is not limited to, the applicant’s first and last name, Social Security Number, and date of birth.

Once the personal identification number and the applicant’s personal information are entered, the system takes the applicant to the IRS FSA-D application. The FSA-D application asks the applicant for additional personal data and allows the applicant to revise certain information, such as their address, to ensure the information entered into the FSA-D matches the information on the tax return previously filed with the IRS. The FSA-D uses personal data input to verify that the applicant is the taxpayer. After the system authenticates the taxpayer, the tax return information for the requested tax year is retrieved and displayed. While the tax return information is displayed on the computer screen, the applicant’s options include 1) closing the IRS session without accepting the tax data from the IRS, 2) transferring the tax return data directly into the application, or 3) printing the tax return data.

[1] An applicant can be the student, the student’s spouse, or the parents of the student.
[2] The Department of Education web site may be accessed at fafsa.ed.gov.

This review was requested by the Associate Chief Information Officer for Applications Development and performed at the Modernization and Information Technology Services organization facilities in New Carrollton, Maryland, during the period July 2009 through March 2010. During our audit, we participated in meetings and briefings between IRS executives and the project team. As a result, when issues and concerns were identified, they were immediately documented and reported to management along with audit recommendations for corrective actions. During the audit, management implemented many of the recommendations prior to deploying the FSA-D application; therefore, project changes or progress occurring after system deployment may not be included in the audit analyses.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective.
We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

Results of Review

The Federal Student Aid Datashare Application Was Successfully Developed and Deployed

The IRS successfully developed and deployed the FSA-D application. The IRS project team began working in May 2009 and, with the assistance of a contractor, deployed the system 9 months later on January 28, 2010. According to the May 2010 IRS report, more than 264,750 taxpayers have used the FSA-D to automatically transfer their tax return information to the Federal student aid application form. Currently, the FSA-D application allows users to access only their filed 2008 tax returns in order to complete the application form. However, the 2009 tax returns are scheduled to be available to taxpayers in the next phase of the FSA-D application, which is planned for implementation in September 2010. The IRS staff has already initiated development of the next phase.

The IRS convened a project team composed of personnel from the Modernization and Information Technology Services organization and the Wage and Investment Division. Under the leadership of the FSA-D project manager, weekly meetings were convened with the project team, and development activities, including risks, were constantly coordinated and solutions were jointly developed and promptly implemented. During weekly project team meetings, the group discussed activities on the FSA-D project schedule and made adjustments as necessary to ensure the project remained on schedule.

The FSA-D project team held a series of weekly, biweekly, and monthly meetings to brief IRS executives. The executives participating in the briefings included the Chief Technology Officer, the Associate Chief Information Officer for Applications Development, and the Wage and Investment Division Business Modernization Executive. In addition, the Customer Services Executive Steering Committee provided high-level executive oversight for the FSA-D project.

As required by the Enterprise Life Cycle (ELC), [3] the FSA-D project was subject to several tests before it was deployed. The tests completed included integration tests performed by the Department of Education staff and security tests performed by the IRS. The National Institute of Standards and Technology provides guidelines for selecting and specifying security controls for Federal information systems and organizations. Security controls are the safeguards employed within an information system to protect the confidentiality, integrity, and availability of the system and its information. Our analysis determined the IRS included the required security controls in its test plan and test cases. According to the test results, security controls were implemented correctly and working as intended, and weaknesses identified during testing have been included in corrective action plans. [4] Following the security testing, the Wage and Investment Division Business Modernization Executive approved the system to operate in the IRS environment.

[3] See Appendix V for a glossary of terms.
[4] When vulnerabilities are identified during security testing, system owners are required to develop mitigation Plans of Action and Milestones and monitor the corrective actions until they are completed.

Improvements Are Needed in Several Systems Development Disciplines

While the IRS successfully developed and deployed the FSA-D application to assist the Department of Education to more efficiently serve thousands of applicants for Federal student aid, improvements are needed in several systems development processes.

    • Managing requirements – The FSA-D test team did not follow effective requirements management processes. Specifically, the Requirements Traceability Matrix (traceability matrix) and test cases were not sufficiently developed throughout the planning and completion of testing.
    • Recording test results – Test results were not recorded timely and consistently, nor were they recorded in a manner to minimize the potential for manipulation.
    • Documenting project team meetings – During project development activities, the results of project team meetings were not documented for several weeks.

The FSA-D project manager implemented corrective actions immediately after being advised of many of these concerns. However, additional actions need to be taken in order for the Chief Technology Officer to improve systems development processes.

Requirements management procedures were not effectively followed throughout planning and completion of testing

Requirements management is the process by which information technology project requirements of all types are defined, formalized, managed, controlled, and verified. The requirements documentation [5] and the traceability matrix are two of the primary controls used to document, manage, and effectively trace requirements to test cases. The requirements documents, the traceability matrix, and the test cases should be developed before initiation of testing activities. The traceability matrix should be updated when changes occur and then accurately maintained throughout the requirements management and testing processes.

[5] The functional requirements for the FSA-D project were included in three separate documents: the Requirement Specification Document, the Page Behavior Design Documents, and the Wireframes. These three documents describe the functionality or operation of the FSA-D system.

The traceability matrix and the Systems Acceptability Test (SAT) cases were not sufficiently developed. The following are specific concerns identified during the audit:

    • Prior to the SAT, an analysis of the first 25 test cases was performed to determine the accuracy and reliability of the traceability matrix. Due to insufficient details on the traceability matrix, requirements could not be traced from the 25 test cases to the matrix. For example, the traceability matrix should contain a reference number which uniquely identifies each requirement being tested; however, 17 of the 25 test cases had a requirement reference number that was not included on the traceability matrix.
    • In a comparison of the traceability matrix to 38 additional test cases performed during the SAT, 110 discrepancies existed between the requirement details on the traceability matrix and the 38 test cases. Figure 1 provides further information on the discrepancies.

Figure 1: Discrepancies Between the Traceability Matrix and Test Cases

    Traceability Matrix Categories                                        | Number of Discrepancies Between the Traceability Matrix Categories and the Information on the 38 SAT Test Cases
    Requirement Specification Document Version Number                    | 1
    Requirement Specification Document Requirement Identification Number | 27
    Page Behavior Design Document Version Number                         | 17
    Page Behavior Design Requirement Identification Number               | 28
    Wireframe Document Version Number                                    | 12
    Wireframe Number                                                     | 14
    Requirement Description                                              | 11
    Total Number of Discrepancies Identified                             | 110

    Source: The requirements documentation and test cases.

    • Following finalization of the SAT, an accurate total of SAT test cases could not be determined. Specifically, three sources reported conflicting numbers as to the total number of SAT test cases performed. The Document Management for Information Technology (DocIT) web site, a central repository used by the IRS to store documents, showed 486 cases; the SAT End-of-Test Status Report showed 484 cases; and the Functional Configuration Audit report showed 422 cases. The reporting of inconsistent final test results contributes to unreliable management information and could lead to incorrect decisions by IRS management. During our review, we recommended that the project manager determine the correct number of final SAT test cases and revise the End-of-Test Status Report to accurately reflect the final total. The SAT test manager concluded there were 472 final test cases, and the End-of-Test Status Report was revised to show these 472 cases. [6]

[6] See Appendix IV.

The aggressive time period and limited time schedule required to implement the FSA-D project contributed to discrepancies between the traceability matrix and SAT test cases.

    • An effective requirements management process was not established. Specifically, the Test, Assurance, and Documentation office test team performed the SAT without initially developing a reliable traceability matrix and sufficiently completing all the test cases.
    • The SAT team concurrently developed test cases and prepared the traceability matrix. However, as changes occurred to requirements and test cases, the traceability matrix was not always updated to reflect the changes. The SAT test manager stated this occurred due to the amount of revisions to requirements documentation. Specifically, the manager believed it was not possible to completely update and cross-reference the traceability matrix for each revision to the requirement documents and also complete the test execution within the required time period.
    • The test analysts individually and manually prepared extensive test cases, possibly causing the development of unnecessary or overlapping test cases. For instance, the test manager determined that four test cases were waived because their conditions were covered by other tests, and nine were duplicates of existing cases.

When there are several sources that report conflicting requirements and test case data, the potential exists that not all requirements were tested, the IRS cannot ensure that the system is working as intended, and the unreliable final test case data could lead to incorrect management decisions.

Management Action: During the review, we discussed the discrepancies between the traceability matrix and the SAT test cases with the project manager and recommended a thorough quality review of the traceability matrix, the requirements documentation, and the SAT test cases prior to deploying the project in January 2010 to ensure that all requirements are included in the test cases and tested during the SAT. The project manager agreed and provided information supporting that the quality review was completed and the requirements tested prior to deployment of the project.

Recommendation

Recommendation 1: The Chief Technology Officer should ensure that the Test, Assurance, and Documentation office SAT test team uses consistent, documented processes to generate a traceability matrix linking each requirement to a test case.

        Management’s Response: The IRS agreed with this recommendation. The Associate Chief Information Officer for Applications Development plans to revise the Requirements Traceability Verification Matrix contained in Internal Revenue Manual Part 2.6.1 to include hyperlinks that will connect directly to the associated test cases.

The SAT test analysts did not record results timely and consistently

During an observation of 3 testers performing 38 of 472 SAT test cases, we determined that not all test results were recorded consistently and timely. For example, one of the testers properly documented testing by immediately recording final results on test case printouts and completing a followup edit at the conclusion of each test day. The other testers recorded their test results inconsistently during test performance by either manually transcribing test notes into electronic test cases at the end of each test day or creating test notes based on memory and only at the end of each test week.

When test results are not recorded until testing is complete, a risk exists that test results may not be recorded accurately or at all.
The Modernization and Information Technology Services\norganization has procedures 7 applicable to Systems Integration Testing that contain several\nguidelines for properly recording test results. Two such requirements include recording test\nresults during actual test execution and subsequently verifying the results by saving computer\nscreen images immediately after each test. In addition, while the tests are being performed, the\ntest manager should verify the results to ensure that objectives are achieved and sufficiently\ndocumented. The tester should also ensure all test result documentation is maintained in a test\nfolder and available for verification by the test manager. After verification, both the testers and\nproject managers are required to sign the test results certification form, which documents tests\nwere performed as required.\nThis situation occurred because the Test, Assurance, and Documentation office SAT test team\ndoes not have any formal procedures that require prompt recording of test results. 
The test team\nfollowed Internal Revenue Manual Part 2.6.1, Test, Assurance, and Documentation Standards\nand Procedures, which does not include detailed procedures requiring SAT testers to record test\nresults consistently, accurately, and timely during test execution.\n\n\n\n\n7\n Modernization and Information Technology Services organization procedure entitled \xe2\x80\x9cTest Folders and Records\nProcedure,\xe2\x80\x9d dated November 30, 2006.\n                                                                                                       Page 7\n\x0c                                 The Federal Student Aid Datashare Application\n                                Was Successfully Deployed, but Improvements in\n                                 Systems Development Disciplines Are Needed\n\n\n\nManagement Action: We discussed the inconsistent recording of test results with the\nSAT test manager, who then met with the test team and advised them of the expectation that they\nrecord test results consistently and promptly. The SAT test manager also agreed to review\nexisting Modernization and Information Technology Services organization procedures for\nrecording test results and implementing appropriate processes.\n\nRecommendation\nRecommendation 2: The Chief Technology Officer should update Internal Revenue Manual\nPart 2.6.1, Test, Assurance, and Documentation Standards and Procedures, to state that SAT test\nresults will be consistently recorded, documented, and verified during test execution.\n           Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. 
The\n           Associate Chief Information Officer for Applications Development plans to update the\n           Test Results Section of Internal Revenue Manual Part 2.6.1 to require consistent\n           recording, documentation, and verification of test results during execution.\n\nThe Application Qualification Testing results were not protected from revisions\nThe FSA-D contractor 8 did not have adequate internal procedures and controls over the\nrecording and reporting of Application Qualification Testing results. The contractor\xe2\x80\x99s testers\nkept track of the test cases they completed along with notes on their test results in an Excel\nspreadsheet file. At the end of the testers\xe2\x80\x99 day, another contractor employee accessed the Excel\nresults file and converted the file to a Portable Document Format. This same employee then\nuploaded the Portable Document Format results file to the IRS DocIT web site. The contractor\xe2\x80\x99s\nexisting processes could allow for manipulation and changing of Application Qualification\nTesting results prior to the results being converted to the Portable Document Format file and\nuploaded to the IRS DocIT web site.\nEstablished processes should ensure that all project testing results provide objective and unedited\nevidence that the project satisfies the agreed-upon requirements. As a result, procedures should\nbe in place to ensure the results are safeguarded from potential alterations or any changes that\ncould compromise the test results. Best practices for good internal controls require the\nsegregation of certain key duties. 
In this instance, responsibilities for recording and reporting
test results should be separated.

Management Action: This concern was discussed with the project manager and we
recommended that the actual testers for the Application Qualification Testing be responsible for
converting their Excel results to “read only” Portable Document Format files before the
documents are accessed by other employees and uploaded to the IRS DocIT web site. The
FSA-D project manager agreed and worked with the contractor to require the testers convert their
test results to a “read only” Portable Document Format file at the end of testing each day.

8 The IRS contracted with a vendor to conduct the Application Qualification Testing.

Minutes were not being prepared to capture and track the details of weekly project meetings

The ELC requires details and decisions be documented on important project matters. According
to project management best practices, formal minutes should be prepared to document decisions
made during project meetings. This ensures important project decisions and significant issues, as
well as any results from followup action items, are appropriately documented. Details and
decisions made during weekly FSA-D project meetings were not always recorded. After the
FSA-D project was implemented, the project team continued for a month without documenting
results of details and decisions that occurred during weekly team meetings.

The FSA-D project team did not follow project management best practices.
When minutes are
not prepared to document significant decisions and followup action items, the potential exists for
important project actions to not receive tracking to ensure sufficient and timely completion.

Management Action: After the initial first few weeks of project meetings and discussions in
which the Treasury Inspector General for Tax Administration participated, this issue was
discussed with the FSA-D project manager who immediately required the preparation of minutes
at the next project team meeting. Thereafter, all FSA-D meeting minutes were adequately
prepared and complete results were documented.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of our review was to determine whether the IRS followed the ELC¹ to
develop the FSA-D project within the established time period and to ensure adequate security
was in place to protect taxpayer information.

1 See Appendix V for a glossary of terms.

To accomplish the overall objective, we:

I.   Determined whether ELC guidelines were properly followed in the development of the
     FSA-D project.
     A. Determined if program management processes were used to manage and guide
        project activities.
        1. Obtained and reviewed documentation which provided evidence that the project
           followed ELC guidance, such as the project charter, the project management plan,
           the tailoring plan, and customer technical reviews.
        2. Determined and documented how the project team gathered and managed
           requirements that included verifying with stakeholders that the requirements were
           complete, tracking and controlling changes to requirements, and ensuring that
           each requirement was included in a test case.
        3. Determined and documented the risk management process to ensure all issues and
           risks were properly identified and tracked from inception to mitigation or
           resolution.
     B. Determined whether the project team performed effective oversight and monitoring of
        the project.
        1. Regularly attended or called into the project team meetings, such as briefings of
           the Project Director, meetings of the executive steering committee, walkthroughs
           of the FSA-D project, meetings with stakeholders, risk management meetings,
           and meetings of the project team.
        2. Obtained and reviewed documents from the project meetings in Step I.B.1.
II.  Determined whether the project team adequately planned for and managed testing
     activities.
     A. Compared the traceability matrix, the Requirements Specification Document, and the
        applicable test cases to ensure that each requirement was included in a test case.
        1. Judgmentally selected and compared the first 25 of the 472 total population of
           SAT test cases to the traceability matrix.
           We used a judgmental sample because
           we were not planning to project our results.
        2. Judgmentally selected and compared an additional 38 of the 472 SAT test cases to
           the traceability matrix. We used a judgmental sample because we were not
           planning to project our results.
     B. Conducted onsite observations of the SAT and the security tests to verify that results
        were accurately recorded.
        1. Observed the testing and the recording of results for 38 of the 472 total population
           of SAT test cases.
        2. Observed the testing and recording of results for 28 of the 486 total population of
           security test cases.
     C. Obtained and reviewed the final results to ensure problems during Application
        Qualification Testing, Security Test and Evaluation, performance, integration, and
        SAT testing were resolved, including retesting failed requirements and properly
        handling defects.
     D. Determined whether the ELC guidelines and other applicable security guidelines were
        followed to ensure authenticated taxpayers have secure access to their tax return
        information.
        1. Obtained and reviewed the security results contained in the Security Certification
           and Accreditation Package.
        2. Determined how the project team resolved the authentication risk.
III. Obtained and reviewed the Reimbursable Agreement between the IRS and the
     Department of Education to determine the funding source for the FSA-D project.

Internal controls methodology

Internal controls relate to management’s plans, methods, and procedures used to meet their
mission, goals, and objectives. Internal controls include the processes and procedures for
planning, organizing, directing, and controlling program operations.
They include the systems
for measuring, reporting, and monitoring program performance. We determined the following
internal controls were relevant to our audit objective: ELC and related IRS guidelines, and the
processes followed in the development of information technology projects. We evaluated these
controls by reviewing the guidelines, conducting interviews and meetings with management and
staff, and reviewing project documentation such as the project charter, various project plans, and
test case files which provided evidence of whether ELC systems development processes were
followed.

Appendix II

Major Contributors to This Report

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology
Services)
Scott A. Macfarlane, Director
Kimberly R. Parmley, Audit Manager
Wallace C. Sims, Lead Auditor
Louis Lee, Senior Auditor
Suzanne M. Westcott, Senior Auditor
David F. Allen, Program Analyst

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Services and Enforcement SE
Commissioner, Wage and Investment Division SE:W
Chief Information Officer OS:CTO:CIO
Associate Chief Information Officer, Applications Development OS:CTO:AD
Director, Risk Management OS:CTO:SP:RM
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
       Commissioner, Wage and Investment Division SE:W
       Director, Program Oversight OS:CTO:SP:RDM:PO

Appendix IV

Outcome Measure

This appendix presents detailed information on the measurable impact that our recommended
corrective action will have on tax administration.
This benefit will be incorporated into our
Semiannual Report to Congress.

Type and Value of Outcome Measure:
•   Reliability of Information – Actual; the final number of SAT test cases reported was 472 (see
    page 4).

Methodology Used to Measure the Reported Benefit:
The IRS issued the SAT End-of-Test Status Report containing a total of 484 test cases, while
486 actual SAT test cases were placed on the IRS DocIT web site. Reporting different SAT
testing results on multiple sources could lead to incorrect management decisions. We
recommended that the IRS determine the correct number of final test cases and revise the
End-of-Test Status Report to accurately reflect the final total of test cases. The IRS agreed with
our recommendation and determined the final total of SAT test cases is 472. Also, the
End-of-Test Status Report has been revised to show the correct final total of SAT test cases.

Appendix V

Glossary of Terms

Term                                 Definition
Application Qualification Testing    The testing phase focused on ensuring the
                                     system is functioning as designed and it
                                     includes business and design
                                     requirements, data validation, hyperlinks,
                                     and interface compatibility.
Enterprise Life Cycle                A structured business systems
                                     development method that requires the
                                     preparation of specific work products
                                     during different phases of the
                                     development process. The ELC
                                     establishes a set of repeatable processes
                                     and a system of reviews, checkpoints, and
                                     milestones that reduce the risks of systems
                                     development and ensure alignment with
                                     the overall business strategy.
Functional Configuration Audit       The audit performed by IRS staff to
                                     independently verify whether or not the
                                     system contains the functions expected.
                                     This is usually accomplished by tracing
                                     requirements to test scripts and
                                     determining whether testing adequately
                                     exercised the system’s intended function.
Requirement                          A formalization of a need and the
                                     statement of a capability or condition that
                                     a system, subsystem, or system
                                     component must have or meet to satisfy a
                                     contract, standard, or specification.
Requirements Traceability Matrix     A matrix developed and continually
                                     updated that links each requirement to a
                                     test case. The matrix provides important
                                     information on system testing and
                                     functionality status.
Systems Acceptability Testing        The process of testing a system or
                                     program to ensure it meets the original
                                     objectives outlined by the user in the
                                     requirement analysis document.
Systems Integration Testing          Systems Integration Testing verifies that
                                     each individual work product
                                     (i.e., application software, technical
                                     infrastructure, facility, documentation, or
                                     training material) still meets requirements
                                     when integrated with the rest of the
                                     release and the business system.
Test, Assurance, and Documentation   The IRS office responsible for planning,
Office                               developing, scheduling, and conducting
                                     the SAT on selected systems. This
                                     includes providing an environment for
                                     testing and integrating modernization and
                                     production systems that emulate the target
                                     environment. They also test the
                                     acceptability of application software for
                                     implementation ensuring only approved
                                     and controlled versions of software are
                                     deployed.
Traceability                         The activity that maps requirements to
                                     business processes, systems development
                                     documents, and test cases.

Appendix VI

Management’s Response to the Draft Report